So Hip to Be Square on HIPAA

Donna Lee Gardner

Let’s take a look at the Model Notices of Privacy Practices published by HHS to find answers to many of occupational health’s big HIPAA questions.

Does all software follow the HIPAA guidelines for WC?

The privacy rule permits covered entities to disclose protected health information to workers’ compensation insurers, state administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization:

  • As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.
  • To the extent the disclosure is required by State or other law.
  • For purposes of obtaining payment for any health care provided to the injured or ill worker.

There are also disclosures with individual authorization. Covered entities may disclose protected health information to workers’ compensation insurers and others involved in workers’ compensation systems where the individual has provided his or her authorization for the release of the information to the entity.

What information should not be disclosed to employers?

  • PHI obtained in the course of a physical exam before hiring.
  • PHI that is not relevant to a WC injury and is discovered in the course of a post-accident exam.

What documentation should be shared when conducting physicals?

disclosures

What forms of authorization should be signed before a physical?

  • Authorization from the employer
  • Authorization for PPE

Do HIPAA guidelines apply to DOT?

Regulatory requirements take precedence over HIPAA. There are potential subtle interpretations that can cause significant problems for the medical examiner. What information must or can be turned over to the carrier is a legal issue, and if in doubt, the examiner should obtain a legal opinion. The Federal Motor Carrier Safety Regulation 391.43 does not address or prohibit the sharing of medical information by medical examiners.

Does HIPAA apply to federally regulated drug and alcohol tests?

No. HIPAA applies only to clinical medicine when a diagnosis is being sought through a vast array of medical procedures utilized to establish a diagnosis for a given medical condition and where a medical professional is involved in making that diagnosis. However, in accordance with 49 CFR part 40, subpart P (Confidentiality And Release of Information), drug and alcohol test results are to be kept confidential and not released except to the tested individual.

A Federally required drug and alcohol test does not establish a diagnosis but rather determines the fitness of an individual to perform safety-sensitive functions. There is no clinical diagnosis being made, just a determination of fitness to work. Furthermore, HHS agreed that there is no conflict between the HIPAA rules and DOT requirements. A workplace drug test is not ordered by a medical professional but is done as part of a company’s policy to achieve a drug-free workplace. That alone takes it out of the realm of clinical medicine.

A workplace drug test is forensic medicine and not clinical medicine, as the tests are done to meet forensic standards and not to establish a diagnosis. Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by HIPAA Rules. However, other Federal or state laws may apply and regulate the collection and/or use of the information.

According to HIPAA, employers have access to some protected health information if the disclosure is required to comply with laws relating to workers’ compensation. HIPAA also allows disclosure per the requirements of state or federal laws and regulations. Thus, clinicians should be mindful of confidentiality when recording patient information in occupational medical records.

Occupational health

Clinicians regularly keep personal health information (i.e., medical conditions not related to work) separate from exposure records. Certain OSHA standards require employers to obtain written opinions from clinicians performing required medical surveillance examinations.

These standards typically state that “the employer shall instruct the physician not to reveal in the written opinion specific findings or diagnoses unrelated to occupational exposure.”

However, DOT only requires that drivers be issued a brief medical examiner’s certificate that, while noting some specific medical information, does not provide much in the way of detail. Likewise, motor carriers are required to keep only the certificate in the driver’s qualification file.

As a general rule, covered entities must make reasonable efforts to limit the disclosure of protected health information to the “minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” Employers should develop policies and procedures to ensure that the minimum necessary information is being requested or disclosed. Companies may provide a copy of the medical examiner’s certificate without violating HIPAA.

HIPAA permits agencies to obtain medical information when required to do so by law. DOT is responsible for reviewing drivers’ medical information to ensure they are physically able to drive, and disclosures to DOT for this purpose are “required by law.”

In this capacity, companies are not bound by the “minimum necessary disclosure” rule, but providing just the certificate would comply with that rule just the same.
